Account lockout information

  • Question

  • Hi,

    I'm trying to find out information on account lockouts on UAG. We can see a user being locked out when they come in via our UAGs; however, we have no idea what exactly is locking out the account. The error in the Security log on the UAG servers is generic, without much information. We publish Outlook Anywhere, OWA and ActiveSync via UAG and I cannot determine which of these is locking the specific user out. Is there a way to determine this?

    Thanks,

    Monday, January 12, 2015 11:11 AM

Answers

  • Do you have this key on the UAG?

    HKLM\Software\Whalecom\e-gap\von\urlfilter

    DWORD value:   FullAuthPassThru=1

    This should bypass the authentication on the UAG and go directly to the back-end server. In the case of Exchange, the Exchange server should authenticate the connection, and it should appear in your logs to be locked on the Exchange server.
    Wednesday, February 4, 2015 10:40 AM
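    Once the back-end Exchange server is the one authenticating, its IIS log records every 401 per virtual directory, which is what separates OWA, ActiveSync and Outlook Anywhere as the source of the bad passwords. The following PowerShell is an added example, not code from the thread or from Microsoft; it assumes default IIS W3C logging on the Exchange server, and the log lines embedded in it are constructed sample data.

```powershell
# Added example (not part of the thread): summarise 401 responses in an IIS W3C
# log by user, published application, client IP and user agent, so the
# virtual directory behind a lockout can be identified. The lines below are
# constructed sample data, not a real log.

$sampleLog = @'
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2015-01-12 10:58:01 10.0.0.5 POST /Microsoft-Server-ActiveSync User=contoso\jdoe&DeviceId=ABC123&DeviceType=iPhone&Cmd=Ping 443 - 10.0.0.20 Apple-iPhone/1202.466 401 1 2148074252 15
2015-01-12 10:58:02 10.0.0.5 POST /Microsoft-Server-ActiveSync User=contoso\jdoe&DeviceId=ABC123&DeviceType=iPhone&Cmd=Ping 443 - 10.0.0.20 Apple-iPhone/1202.466 401 1 2148074252 12
2015-01-12 10:58:30 10.0.0.5 GET /owa/ - 443 contoso\asmith 10.0.0.20 Mozilla/5.0 200 0 0 31
2015-01-12 10:59:10 10.0.0.5 RPC_IN_DATA /rpc/rpcproxy.dll mail.contoso.com:6001 443 - 10.0.0.20 MSRPC 401 1 2148074252 8
'@

# Parse W3C extended log text into objects using the #Fields header, so the
# field order does not have to be hard-coded.
function ConvertFrom-IisW3C {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line -like '#*' -or [string]::IsNullOrWhiteSpace($line) -or -not $fields) { continue }
        $values = $line -split ' '
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

# Map the request path to the published application named in the question.
function Get-PublishedApp {
    param([string]$UriStem)
    switch -Wildcard ($UriStem.ToLower()) {
        '/owa*'                         { 'OWA' }
        '/microsoft-server-activesync*' { 'ActiveSync' }
        '/rpc*'                         { 'Outlook Anywhere' }
        default                         { 'Other' }
    }
}

# IIS only fills cs-username after a successful authentication, so on a 401 it
# is usually "-". ActiveSync still names the user in its User= query parameter;
# Outlook Anywhere (RPC over HTTP) does not name the user at all.
function Get-RequestUser {
    param($Entry)
    if ($Entry.'cs-username' -ne '-') { return $Entry.'cs-username' }
    if ($Entry.'cs-uri-query' -match '(?:^|&)User=([^&]+)') { return $Matches[1] }
    return '(not in log)'
}

function Get-AuthFailureSummary {
    param([string[]]$Lines)
    ConvertFrom-IisW3C $Lines |
        Where-Object { $_.'sc-status' -eq '401' } |
        ForEach-Object {
            [pscustomobject]@{
                User      = Get-RequestUser $_
                App       = Get-PublishedApp $_.'cs-uri-stem'
                ClientIP  = $_.'c-ip'            # behind UAG this is often the UAG's own address
                UserAgent = $_.'cs(User-Agent)'
            }
        } |
        Group-Object User, App, ClientIP, UserAgent |
        Sort-Object Count -Descending |
        Select-Object Count,
            @{n='User';      e={$_.Group[0].User}},
            @{n='App';       e={$_.Group[0].App}},
            @{n='ClientIP';  e={$_.Group[0].ClientIP}},
            @{n='UserAgent'; e={$_.Group[0].UserAgent}}
}

# Run against the constructed sample. For a real server point it at the log file, e.g.
# Get-AuthFailureSummary (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex150112.log')
Get-AuthFailureSummary ($sampleLog -split "`r?`n") | Format-Table -AutoSize
```

    On the sample data the top row is two ActiveSync 401s for contoso\jdoe from the iPhone user agent, which is the kind of stale-device-password pattern the question is trying to pin down. The grouping keys include client IP and user agent deliberately: with UAG proxying, the IP column alone collapses to the proxy, and the user agent is what still distinguishes a phone from a browser from Outlook.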

All replies

  • You need to enable auditing for your domain controllers and servers. It's done using group policies:

    Auditing for Domain Controllers:
    1. Navigate to Start > Programs > Administrative Tools > Group Policy Management.
    2. In the Group Policy Management console, expand the Forest: <domain_name> > Domains > <your_domain_name> > Domain Controllers node.
    3. Right-click Default Domain Controllers Policy and select Edit from the popup menu.
    4. In the Group Policy Object Editor, under Computer Configuration, expand the Windows Settings > Security Settings > Local Policies node and select the Audit Policy node.
    5. Set the Audit Account Management parameter to 'Success', and Audit Logon Events and Audit Account Logon Events to 'Failure'.

    Auditing for Domain:
    1. Navigate to Start > Programs > Administrative Tools > Group Policy Management.
    2. In the Group Policy Management console, expand the Forest: <domain_name> > Domains > <your_domain_name> node.
    3. Right-click the Default Domain Policy node and select Edit from the popup menu.
    4. In the Group Policy Object Editor, under Computer Configuration, expand the Windows Settings > Security Settings > Local Policy node and select the Audit Policy node.
    5. Set the Audit logon events parameter to Failure.

    Then check for events with ID 4740 in the Security logs. Additionally, you may use Microsoft Account Lockout Tools or our free tool, Netwrix Account Lockout Examiner.


    --- Jeff (Netwrix)

    Wednesday, January 14, 2015 10:01 AM
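    With the audit settings from the reply above in place, the useful next step is to read the 4740 events and the failed authentications that precede them rather than browsing Event Viewer by hand. The PowerShell below is an added example, not code from the reply, from Netwrix or from Microsoft; it assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read the domain controllers' Security logs. The property names it reads (TargetUserName, TargetDomainName, IpAddress, Workstation, Status) are the EventData field names of events 4740, 4771 and 4776.

```powershell
# Added example (not part of the reply): list recent lockouts (event 4740) on the
# PDC emulator and, for each one, the failed authentications in the minutes
# before it, so the reporting computer and the client address are visible.
# Assumes the ActiveDirectory module and read access to the DCs' Security logs.

param(
    [string]$User  = '*',                         # sAMAccountName to look for, * for all
    [int]   $Hours = 24,                          # look-back window
    [string]$PDC   = (Get-ADDomain).PDCEmulator   # lockouts are always recorded on the PDC emulator
)

# Read EventData by field name rather than by position in $event.Properties,
# which differs between event IDs.
function Get-EventData {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml  = [xml]$Event.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    return $data
}

function Get-RecentLockouts {
    param([string]$Computer, [datetime]$Since, [string]$Filter)
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = $Since
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventData $_
        [pscustomobject]@{
            Time           = $_.TimeCreated
            User           = $d['TargetUserName']
            # In 4740 the "Caller Computer Name" field is carried as TargetDomainName.
            CallerComputer = $d['TargetDomainName']
        }
    } | Where-Object { $_.User -like $Filter }
}

# Failed authentications before a lockout: 4771 (Kerberos pre-authentication
# failed) carries the client IP, 4776 (NTLM credential validation) carries the
# workstation name. With UAG or Exchange in front of the user that source is
# usually the proxy itself, which tells you whose logs to read next.
function Get-PrecedingFailures {
    param([string]$Computer, [datetime]$LockoutTime, [string]$Account, [int]$Minutes = 5)
    Get-WinEvent -ComputerName $Computer -FilterHashtable @{
        LogName   = 'Security'; Id = 4771, 4776
        StartTime = $LockoutTime.AddMinutes(-$Minutes); EndTime = $LockoutTime
    } -ErrorAction SilentlyContinue | ForEach-Object {
        $d = Get-EventData $_
        if ($d['TargetUserName'] -notlike "$Account*") { return }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            User    = $d['TargetUserName']
            Source  = $(if ($_.Id -eq 4771) { $d['IpAddress'] } else { $d['Workstation'] })
            Status  = $d['Status']      # 0x18 = bad password (Kerberos), 0xC000006A (NTLM)
        }
    }
}

$since    = (Get-Date).AddHours(-$Hours)
$lockouts = Get-RecentLockouts -Computer $PDC -Since $since -Filter $User
$lockouts | Format-Table -AutoSize

foreach ($l in $lockouts) {
    "`nFailures before lockout of $($l.User) at $($l.Time) (reported by $($l.CallerComputer)):"
    Get-PrecedingFailures -Computer $PDC -LockoutTime $l.Time -Account $l.User | Format-Table -AutoSize
}
```

    Running it as `.\Find-Lockouts.ps1 -User jdoe -Hours 48` (the file name is whatever you save it as) prints each lockout with the computer that reported it, followed by the 4771/4776 failures in the preceding five minutes. When the reporting computer is the Exchange or UAG server, the domain controller has told you all it can, and the per-application detail has to come from that server's own logs.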